Surveillance bill could hitch a ride

SURVEILLING THE TEA LEAVES — Congress appears increasingly likely to use an upcoming spending bill as a vehicle to push through the reauthorization of controversial online spying tools.

The House Intelligence Committee on Friday approved a bill (H.R. 4478) to renew the statute that authorizes those tools, Section 702 of the Foreign Intelligence Surveillance Act. The move all but ensures the measure, or a similar Senate draft, will be attached to a temporary spending bill or long-term budget deal. The panel voted 13-8 along party lines after a bitter, often very heated, debate over language revising the "unmasking" process, which allows the government to expose the identity of Americans included in intelligence reports.

“I think, effectively, we have ceded to the Senate the draftsmanship for whatever will end up in a must-pass bill,” Rep. Adam Schiff, the panel’s top Democrat, said after the vote. Senate Intelligence Chairman Richard Burr has repeatedly stated he wouldn’t object to hitching his panel’s Section 702 bill (S. 2010) to another measure.

The reauthorization will be attached to another must-pass bill “without reform,” predicted Rep. Eric Swalwell, the top Democrat on the House’s CIA subcommittee. He even suggested that congressional leaders might seek to hitch a so-called “clean” renewal, without any changes to the current statute, to a temporary or catch-all legislative vehicle. Swalwell, who serves on both the House Intelligence and Judiciary committees, called the outcome of Friday’s vote “unfortunate.” “There are reforms that are needed,” he told POLITICO.

Rep. Tom Rooney, who chairs the Intelligence Committee’s NSA subpanel, stood by the GOP position of keeping the unmasking alterations in the bill. “It’s really, really unfortunate,” he said, speculating that Democrats wanted to cut the language because it would imply some kind of wrongdoing by Obama administration officials during the last presidential transition. “But you know what? I’m not going to get mad about it. I’m just glad we’re in the majority, because the country’s going to [be] safer for it and, at the end of the day, that’s our job.”

STATE DEPARTMENT EXPLAINS CYBER OFFICE CLOSURE — The State Department closed its longstanding cyber diplomacy office because “cyber statecraft requires a more deliberate and systematic treatment than the standalone office of a coordinator can provide,” according to the agency’s chief congressional liaison. To replace the former Office of the Coordinator for Cyber Issues, Secretary of State Rex Tillerson established a cyber and telecommunications team inside the economic bureau that “will be led, resourced and organized to execute a comprehensive and fully integrated cyber policy and digital economy strategy,” said Charles Faulkner, a senior official in State’s Bureau of Legislative Affairs, in a Nov. 6 letter to Rep. Debbie Dingell. The letter, which has not been previously reported, responded to a missive from 22 Democratic lawmakers, led by Dingell, urging Tillerson to keep the cyber office.

“It is extremely disappointing Secretary Tillerson chose to move forward with the closure of the State Department’s Cyber Office, leaving the U.S. as the only major country without a lead cybersecurity diplomat,” Dingell said in a statement to MC. Given the increasing cyber threat from governments and other malicious actors, “a strong and coordinated response from government agencies and the private sector is crucial,” she added. Tillerson’s move was unpopular with some cyber policy experts, as well as the leaders of the House Foreign Affairs Committee, who introduced a bill — recently approved by the panel — to reverse the change. “It is my hope that the House will act swiftly to pass” the bill, Dingell said, because it “reestablishes the U.S. as a leader in this area.” EG

NO “THERE” THERE — Credit reporting giant Equifax offered only a cursory explanation of its digital defenses in response to a Senate Commerce Committee inquiry following its massive data breach, according to a copy of the firm’s responses shared with MC. On Sept. 8, the commerce panel asked Equifax how it complied with the Gramm-Leach-Bliley Act’s Safeguard Rule, which requires financial companies to protect customer data. Equifax ignored that question in its initial Sept. 25 response letter, which included information about the company’s response to its data breach. In a subsequent letter, dated Oct. 6, the company described in general terms its “robust security program” and the “administrative, technical and physical safeguards” it used to protect Americans’ sensitive financial information.

“Security incidents are classified according to severity and escalated to management personnel as appropriate,” the company said, though it offered no explanation for how this classification or escalation worked. Equifax said its security team included “incident response managers” and a “Cyber Threat Center … staffed by security professionals.” Those professionals, the company added, use “technological capabilities to monitor the company’s network.” Equifax’s response also includes the executive summary of the incident report that cyber firm Mandiant prepared for the company. Mandiant’s security recommendations included “enhanced vulnerability scanning” and setting up roadblocks between internet-connected systems and vital databases.

KASPERSKY’S GOT MORE PROBLEMS — The U.K. is joining the United States in sounding the alarm about the risks posed by Russia-owned antivirus firm Kaspersky Lab. But it's holding off on a complete ban — for now. “We're discussing whether a framework can be developed (that we and others can independently verify) that provides the UK with assurance about the security of their involvement in the wider UK market,” Ian Levy, technical director at the National Cyber Security Centre, wrote in a blog post late last week. “If we can't develop solutions with these suppliers that we feel mitigate the risk to UK national security, other solutions will be needed.”

However, Levy wrote that there is “almost no base of Kaspersky” software in the U.K. government and advised against “ripping out Kaspersky software at large.” Separately, Ciaran Martin, head of the agency, wrote to senior government employees that “we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based [antivirus] company should not be chosen.”

FLYNN IMBROGLIO GOES TO COURT — Former national security adviser Michael Flynn pleaded guilty late last week to lying to the FBI about conversations he had with then-Russian Ambassador Sergey Kislyak regarding sanctions the Obama administration imposed on the Kremlin for election hacking. Flynn told agents he hadn’t asked Kislyak to avoid escalating in response to the sanctions, but court documents stated that was not true. The documents also asserted that senior members of the Trump transition team knew about the conversations.

President Donald Trump himself, meanwhile, stepped into potential legal hot water in a tweet about the Flynn news. "I had to fire General Flynn because he lied to the Vice President and the FBI,” the president said. “He has pled guilty to those lies. It is a shame because his actions during the transition were lawful. There was nothing to hide!" Some legal experts suggested that the tweet, reportedly written by his personal lawyer, amounts to an admission of obstruction of justice, since at the time he was pressuring then-FBI Director James Comey to drop the Flynn investigation, according to Comey. Trump denies Comey’s claim, which Comey made under oath before Congress.

UBER EXITS — Data breaches continue to claim the scalps of corporate leaders. Three more senior security officials are out at Uber in the fallout over the company’s major data breach, Reuters reports. One of the officials who’s resigning is Pooja Ashok, chief of staff to the former chief security officer, Joe Sullivan, whom Uber already had fired over the incident. The other two are Prithvi Rai, a senior security engineer, and Jeff Jones, who was in charge of physical security.

RECENTLY ON PRO CYBERSECURITY — “A former NSA employee whose use of Kaspersky software allegedly let the Russian government steal classified intelligence documents has pleaded guilty to taking those documents home.” … House Judiciary Democrats want a Justice Department briefing on what it’s doing to defend against future foreign election meddling.

About the Author: Tim Starks

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.